https://bugzilla.redhat.com/show_bug.cgi?id=1877409
Bug ID: 1877409
Summary: perl-dbi: Buffer overflow on an overlong DBD class name
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: caillon+fedoraproject@gmail.com, hhorak@redhat.com, john.j5live@gmail.com, jorton@redhat.com, jplesnik@redhat.com, kasal@ucw.cz, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, ppisar@redhat.com, rhughes@redhat.com, rstrode@redhat.com, sandmann@redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in perl-dbi before version 1.643. A buffer overflow via an overlong DBD class name in the dbih_setup_handle function may lead to data being written past the intended limit.
Upstream patch:
https://github.com/perl5-dbi/dbi/commit/36f2a2c5fea36d7d47d6871e420286643460...
Pedro Sampaio psampaio@redhat.com changed:
What       |Removed |Added
-----------|--------|--------
Depends On |        |1877410
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1877410 [Bug 1877410] perl-DBI: Buffer overflow on an overlong DBD class name [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created perl-DBI tracking bugs for this issue:
Affects: fedora-all [bug 1877410]
Pedro Sampaio psampaio@redhat.com changed:
What   |Removed |Added
-------|--------|--------
Blocks |        |1857388
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What    |Removed                                                 |Added
--------|--------------------------------------------------------|-----------------------------------------------------------------------
Summary |perl-dbi: Buffer overlfow on an overlong DBD class name |CVE-2020-14393 perl-dbi: Buffer overlfow on an overlong DBD class name
Alias   |                                                        |CVE-2020-14393
Tomas Hoger thoger@redhat.com changed:
What    |Removed                                                                |Added
--------|-----------------------------------------------------------------------|-----------------------------------------------------------------------
Summary |CVE-2020-14393 perl-dbi: Buffer overlfow on an overlong DBD class name |CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name
--- Doc Text *updated* by Todd Cullum tcullum@redhat.com ---
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
Todd Cullum tcullum@redhat.com changed:
What       |Removed |Added
-----------|--------|-----------------------------------
Depends On |        |1877959, 1877956, 1877957, 1877958
--- Comment #4 from Todd Cullum tcullum@redhat.com ---
External References:
Advisory: https://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.643-...
Bug 1877409 depends on bug 1877410, which changed state.
Bug 1877410 Summary: CVE-2020-14393 perl-DBI: Buffer overflow on an overlong DBD class name [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1877410
What       |Removed |Added
-----------|--------|--------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
--- Comment #5 from Todd Cullum tcullum@redhat.com ---
Marked the CVSS score as 4.4 for products as there would only be a temporary risk to availability and low risk to data integrity due to binary protections shipped with the products.
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com ---
A buffer overflow was found in perl-DBI before version 1.643 in DBI.xs. This flaw allows a local attacker who can supply a string longer than 300 characters to cause an out-of-bounds write. The highest threat from this vulnerability is to integrity and system availability.
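The flaw described in the doc text (and in the original report, which names dbih_setup_handle and an overlong DBD class name) is the classic fixed-size-buffer pattern: a caller-controlled string is formatted into a stack array whose size is not checked first. The C program below is an added example written for this record; it is not DBI's code and not the upstream patch. It assumes the affected code formatted the class name plus a fixed suffix into a 300-byte buffer, and shows the hardened form: compute the bytes the result needs, refuse the name when it does not fit, and still check the bounded snprintf return value. Only the 300-byte limit comes from the page; the suffix "::imp_data_size", the function names and the status codes are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed-length name buffer. The bug report says names longer
 * than 300 characters trigger the out-of-bounds write, so 300 is used here. */
#define IMP_MEM_NAME_LEN 300

/* Suffix appended to the DBD class name to form a package-variable name.
 * The exact suffix used by DBI.xs is an assumption here (illustrative only). */
static const char IMP_MEM_SUFFIX[] = "::imp_data_size";

/*
 * Hardened replacement for an unchecked sprintf(fixed_buf, "%s%s", ...).
 * Refuses class names whose formatted result would not fit, leaving the
 * buffer untouched. Returns 0 on success and -1 when the name is too long
 * (or an argument is invalid).
 */
int build_imp_mem_name(const char *imp_class, char *out, size_t outsz)
{
    if (imp_class == NULL || out == NULL || outsz == 0)
        return -1;

    /* sizeof on the array includes the terminating NUL, so `need` is the
     * full number of bytes the formatted string will occupy. */
    size_t need = strlen(imp_class) + sizeof IMP_MEM_SUFFIX;
    if (need > outsz)
        return -1;              /* would overflow: refuse rather than truncate */

    /* snprintf is bounded; its return value is still checked for truncation
     * so a later change to the suffix or buffer size cannot silently break
     * the invariant that `out` holds the complete name. */
    int n = snprintf(out, outsz, "%s%s", imp_class, IMP_MEM_SUFFIX);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Runs the hardened builder against a fixed 300-byte stack buffer, as the
 * affected function would, and reports only the status code. */
int imp_mem_name_status(const char *imp_class)
{
    char imp_mem_name[IMP_MEM_NAME_LEN];
    return build_imp_mem_name(imp_class, imp_mem_name, sizeof imp_mem_name);
}

/* Builds a constructed class name of `len` 'A' characters (capped at 1024)
 * and returns the status the hardened builder gives it. With a 16-byte
 * suffix (15 characters plus NUL) the longest accepted name is 284 bytes. */
int status_for_class_len(size_t len)
{
    static char name[1025];
    if (len > 1024)
        len = 1024;
    memset(name, 'A', len);
    name[len] = '\0';
    return imp_mem_name_status(name);
}

int main(void)
{
    printf("DBD::SQLite -> %d\n", imp_mem_name_status("DBD::SQLite")); /* 0 */
    printf("284 chars   -> %d\n", status_for_class_len(284));          /* 0 */
    printf("285 chars   -> %d\n", status_for_class_len(285));          /* -1 */
    printf("400 chars   -> %d\n", status_for_class_len(400));          /* -1 */
    return 0;
}
```

The length check before the format call is the part that matters: with it, an overlong name produces an error return instead of an out-of-bounds write, which is the availability and integrity impact the doc text describes. Checking the snprintf return value as well is cheap insurance against the two constants drifting apart in later maintenance.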
Todd Cullum tcullum@redhat.com changed:
What        |Removed |Added
------------|--------|--------------------
Status      |NEW     |CLOSED
Resolution  |---     |WONTFIX
Last Closed |        |2021-11-02 17:26:38